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(57) Abstract: Proposed is a method and 
authentication server (4) for controlling 
access of a user to a resource accessible 
through a first communications network 
(5) by means of a first communication 
terminal (1, 3). An address (72) of a 
second communication terminal (2, 3) 
is stored at the authentication server (4) 
as part of personal user information (7). 
The authentication server (4) transmits 
a challenge code over a second com- 
munications network (6) to the second 
communication terminal (2, 3) identified 
by said address (72). The challenge code 
received by the second communication 
terminal (2, 3) is transmitted by the 
first communication terminal (1, 3) over 
the first communications network (5) 
to the authentication server (4). The 
authentication server (4) compares the 
challenge code received from the first 
communication terminal (1, 3) to the 
challenge code transmitted to the second 
communication terminal (2, 3), and 
the authentication server (4) grants the 
user access to the resource after having 
validated the challenge code received 
from the first communication terminal 
(1, 3). 
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Method and Authentication Server for Controlling Access to a Resource 
Accessible Through a Communications Network 



SPECIFICATION 

5 Technical Field 

The present invention relates to a method and an authentication 
server for controlling access to a resource accessible through a 
communications network. Specifically, the present invention relates to a method 
and an authentication server for controlling access of a-user to a resource 
10 accessible through a communications network, for example the Internet, 

whereby user identification information entered by the user on a communication 
terminal is transmitted over the communications network to the computerised 
authentication server and compared to user identification information stored in 
the database of the authentication server. 

15 

Background Art 

Typically, controlling access to hardware or software resources 
available in a communications network requires some form of user 
identification. The resources are accessed by the users through the 

20 communications network by means of communication terminals such as 
personal computers, personal data organizers or mobile radio telephones. 
Examples of software resources accessible through communications networks 
include software programs, software directories, databases and web pages. 
Before getting granted access to a controlled resource, the user is requested to 

25 enter user identification information on his communication terminal. The user 
identification information entered by the user is transmitted over the 
communications network to a computerised server, for example an access 
control server or an authentication server. The server compares the received 
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user identification information to user identification information stored in a 
database of the server and grants the user access to the resource, if the 
received user identification information is validated, i.e. if the received user 
identification information corresponds to the stored user identification 
5 information. The user identification information comprises, for instance, a user 
name or log-in name and a secret user password or log-in password. In order to 
prevent eavesdropping of the user identification information, at least the secret 
password is typically transmitted over the communications network in encrypted 
form. 

10 To reduce the risk of granting access to a resource to an 

unauthorised user, who has discovered a secret user password through trial 
and error, or who has been given a secret user password by an authorised 
user, for example, an additional level of security has been added for controlling 
access over a communications network to resources such as banking services. 

15 The user is given a personal list with secret codes. With every access to the 
controlled resource, in addition to the user identification information, the user is 
requested to enter the secret code on top of the list on his communication 
terminal and subsequently delete that secret code from the list. Even an 
unauthorised user who knows the secret password cannot access the resource 

20 without access to this list. Nevertheless, users, particularly mobile users, find 
the use of such lists not very convenient. On one hand, resources cannot be 
accessed without having the list ready at hand. On the other hand, keeping the 
list on one's person increases the risk of losing the list or having it stolen. 
Furthermore, the personal code lists can become a real nuisance to users who 

25 have made an error in deleting a secret code from the list, be it that they forgot 
to delete a code, or be it that they deleted more than one code. Maintaining the 
list means additional overhead for the users as well as for the resource or 
service provider. Providers need to ensure that the users are supplied with new 
lists, whenever the secret codes on a list have all been used. 
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Disclosure of Invention 

It is an object of this invention to propose a new and improved 
method and authentication server for controlling access to a resource 
accessible through a communications network, whereby the new method and 
5 authentication server at least do not have some of the disadvantages of the 
prior art. 

According to the present invention, these objects are achieved 
particularly through the features of the independent claims. In addition, further 
advantageous embodiments follow from the dependent claims and the 
10 description. 

According to the present invention, these objects are particularly 
achieved in that for a user, who attempts to access a resource accessible 
through a first communications network by means of a first communication 
terminal, an address of a second communication terminal is stored at an 

15 authentication server and the authentication server transmits a challenge code 
over a second communications network to the second communication terminal 
identified by said address. According to the present invention, the challenge 
code received by the second communication terminal is transmitted (returned) 
by the first communication terminal over the first communications network to the 

20 authentication server, the authentication server compares the challenge code 
received from the first communication terminal to the challenge code 
transmitted to the second communication terminal, and the authentication 
server grants the user access to the resource after having validated the 
challenge code received from the first communication terminal. 

25 This approach for controlling access to a resource accessible 

through a communications network has the advantage that an additional layer 
of security and control is added to the verification of submitted user 
identification information, including a user name and password, for example, 
without adding the overhead required for maintaining personal lists of secret 

30 codes. An unauthorised user, who knows the user identification information of 
an authorised user, cannot get access to the controlled resource, unless, at the 
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time of access, he is also in possession of the authorised user's second 
communication terminal or of the authorised user's subscriber identification 
module (SIM) linking said address to the second communication terminal, 
respectively. Without possession of the second communication terminal or the 

5 SIM, respectively, at the time of access, the unauthorised user cannot receive 
the challenge code from the authentication server and is, therefore, in no 
position to return the challenge code to the authentication server. Access to the 
resource can thus be controlled by checking the knowledge of information, 
namely the user identification information, and by checking the presence of a 

10 pre-defined physical device, namely the personal communication terminal or 
the SIM, respectively, of the authorised user who is identified by the user 
identification information. The possession of a specific pre-defined physical 
device at the time of access as a prerequisite for being granted access to a 
resource is more stringent than a personal code list because, unlike such a list, 

15 the physical device, i.e. the communication terminal or the SIM, cannot be 

easily copied and shared. Moreover, the security is increased because different 
communications networks are used to transmit the secret challenge code. 

In an embodiment of the present invention, a timer is started by the 
authentication server after the challenge code has been transmitted to the 

20 second communication terminal, and the user is denied access to the resource, 
if the challenge code is not received from the first communication terminal 
within a pre-defined time period. Through specification of a time-limit for 
returning the challenge code to the authentication server, it is possible to 
reduce the risk that an authorised user receiving the challenge code on his 

25 communication terminal communicates the received challenge code to an 
unauthorised user in a different location, who is using the user identification 
information of the authorised user. 

In an embodiment of the present invention the personal user 
information is linked to a serial number, the serial number identifying a specific 
30 resource, and the user is requested to enter the serial number on the first 
communication terminal prior to the entry of the user identification information. 
Linking the personal user information to a serial number identifying a resource 
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has the advantage that access of a user can be controlled for one or more 
specific resources. 

In an embodiment of the present invention the resources are 
computer software objects such as computer programs, e.g. computer games, 

5 computer databases, computer data, computer directories or web pages, 
located on the Internet, for example on the worldwide web; the second 
communication terminal is a mobile communication terminal, for example a 
mobile radio telephone, whereby the phone number assigned to the mobile 
communication terminal is used as the address; the challenge code is 

10 generated by means of a random generator; and the challenge code is 
transmitted by the authentication server over a mobile radio network to the 
mobile communication terminal by means of data messages such as SMS 
(Short Message Services) or USSD messages (Unstructured Supplementary 
Services Data). The first communication terminal is for example a personal 

15 computer equipped for communication over the Internet; however, the first 
communication terminal can also be a mobile communication terminal, for 
example a personal data assistant or a mobile radio telephone, equipped to 
access both the Internet and the mobile radio network, so that the first 
communication terminal and the second communication terminal are one and 

20 the same physical device. 

In addition to the method and authentication server for controlling 
access to a resource accessible through a communications network, the 
present invention also relates to a computer program product comprising 
computer program code to direct a computerised server to execute the 
25 functions of the authentication server and to a computer-readable data carrier, 
encoded with data representing a computer program, that makes it possible to 
direct a computerised server to execute the functions of the authentication 
server. 



30 
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Brief Description of Drawings 

The present invention will be explained in more detail, by way of 
example, with reference to the drawings in which: 

5. Figure 1 is a block diagram illustrating an authentication server 

connected to two communications networks, communication terminals being 
connected to the communications networks. 

Figure 2 is a block diagram illustrating personal user information 
linked to a serial number, the personal user information comprising user 
10 identification information and an address of a communication terminal. 

Figure 3 is a timing diagram illustrating the information exchange 
between a user, a point of presence, the authentication server and the 
communication terminals. 



15 Mode(s) for Carrying Out the Invention 

In Figure 1, the reference numeral 4 refers to an authentication 
server which comprises at least one computer with at least one processor 43, a 
database 41, and a computer-readable data carrier 42. The computer-readable 
data carrier 42 is encoded with data representing a computer program, that 
20 makes it possible to direct the computerised authentication server, respectively 
its processor(s), to execute the steps S1, S2, S3, S4, and S5, and to initiate the 
steps A1 , A2, A3 and A4, as will be described below. The authentication server 
4 can comprise an additional computer to run the database 41 . 

As is schematically illustrated in Figure 1 , the authentication server 4 
25 is connected to two communications networks 5 and 6. The communications 
network 5 is, for example, the Internet comprising the worldwide web. The 
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communications network 6 is, preferably, a mobile communications network, for 
example, a mobile radio network, e.g. a GSM (Global System foT Mobile 
Communications) or a UMTS network (Universal Mobile Telephone System) or 
another terrestrial or satellite-based mobile radio system. If fixed 

5 communications terminals 2 or 3 are used, the communications network 6 could 
also be a fixed communications terminal, for example the public switched 
telephone network (PSTN) or an ISDN-network (Integrated Services Digital 
Network). The function of the authentication server 4 is to control access of a 
user to a resource accessible through the communications network 5. The 

10 resource can be a computer hardware device or a computer software object, for 
example a computer program, a computer database, computer data, a 
computer directory or a web page. The resource can be located on a computer 
of the authentication server 4 or on a computer connected to the authentication 
server 4. 

15 In Figure 1 , examples of the user's communication terminals 1 , 2 and 

3 are illustrated. The communication terminal 1, for example a personal 
computer, is connected to the communications network 5, and is equipped to 
exchange data with the authentication server 4 over the communications 
network 5. The communication terminal 2 is a mobile communication terminal, 

20 for example a radio telephone, and is connected to the communications 

network 6, and is equipped to exchange data with the authentication server 4 
over the communications network 6. The communication terminal 3, for 
example a personal data organiser with a mobile radio telephone module, is 
connected to the communications networks 5 and 6, and is equipped to 

25 exchange data with the authentication server 4 over the communications 

networks 5 and 6. Thereby the communications network 5 may be accessed by 
the communication terminal 3 through the communications network 6, for 
example using additional means such as WAP (Wireless Application Protocol) 
and corresponding gateways. The communication terminals 2 and 3 are 

30 preferably personal communication terminals, each provided with a subscriber 
identification module (SIM) 21 or 31 , respectively, for example a SIM in the form 
of a chipcard. A SIM contains a unique user identification, for example an 
International Mobile Subscriber Identity (IMSI). Conventionally, in a database of 
the communications network 6, for example in the Home Location Register 
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(HLR), the user identification stored on the SIM is linked to the address (or 
phone number) of the communication terminal 1 or 3, respectively. 

With reference to Figure 3, the information exchange between the 
user 9, a point of presence 10, the authentication server 4 and the user's 
5 communication terminals 1, 2, and 3 will be explained in the following 
paragraphs. 

At a point of presence 10, for example a shop or a merchandising 
stand, the user 9 personally communicates in step U1 personal information 
such as name, mailing address and the address, e.g. the phone number, of his 
10 personal communication terminal 2 or 3, to a representative at the point of 
presence 10, after having provided proof of identity and proof of age by means 
of official documents such as a driver's license, a passport or another picture 
identification. 

In step P1, the personal information provided by the user is 
15 communicated to the database 41 of the authentication server 4 together with a 
serial number identifying a resource the user 9 is interested in. For example, 
the personal information is entered by means of a data entry terminal at the 
point of presence 10 and transmitted through a communications line to the 
authentication server 4. 

20 In exchange, the user 9 is handed in step P2 a computer-readable 

data carrier, for example a CD, a mini-disk, a chipcard or another suitable data 
storage module, which contains the serial number, for example in the form of a 
printed label, and location information for an entry point to the resource 
accessible through the communications network 5, for example an URL 

25 address (Uniform Resource Locator) of an entry page to the resource encoded 
as computer-readable data. The URL address is for example non-user-friendly 
represented by a string of many alphanumeric characters, e.g. 
http://72749/547etzjd4hb7dgdx/opeghfj633ore/9844378574rij", such that the 
location is unlikely to be traced by search engines and that the location 

30 information is difficult to be communicated to other users. Therefore, the CD 
preferably contains a computer program, from hereon called connection- 
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program, to direct the communication terminal 1 (or 3) to automatically connect 
to the location of the communications network 5 specified by the location 
information. 

In step S1, upon reception of the personal user information, user 
5 identification information is assigned to the user, for example a user (or log-in) 
name and a secret user (or log-in) password. Furthermore, in step S1 the 
personal user information together with the user identification information is 
stored in the database 41 according to the diagram shown in Figure 2. 
According to Figure 2, the personal user information 7 is linked to the serial 
10 number 8. The personal user information 7 comprises the user identification 
information 71 , including the user (or log-in) name 71 1 and the user (or log-in) 
password 712, the address (or phone number) 72 of the user's personal 
communication terminal, and possibly further personal user information 73. 

In step A1 the user identification information 71 , including the user 
15 name 71 1 and the user password 712, is communicated from the 

authentication server 4 to the user, for example by means of paper mail through 
the postal service or by means of e-mail or data messages transmitted to the 
personal communication terminal 2 or 3 identified by the address (or phone 
number) 72. 

20 When the user wants to access the resource identified by the serial 

number 8, he uses his communication terminal 1 or 3 to connect to the entry 
point of the resource on the communications network 5, preferably by inserting 
the data carrier containing the connection-program into the communication 
terminal 1 or 3, respectively. In step U2, the serial number is transmitted by the 

25 communication terminal 1 or 3, respectively, over the communications network 
5 to the authentication server 4, either automatically controlled by the 
connection-program or manually entered by the user upon request by the 
connection-program or the authentication server 4. Requests from the 
authentication server 4 are transmitted to the communication terminal 1 or 3, 

30 respectively, in a conventional way by means of software objects, for example 
HTML- (Hypertext Markup Language), XML- (Extended Markup Language) or 
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WML-objects (Wireless Markup Language) or executable programs such as 
Java-Applets (Java is a registered trademark of Sun Microsystems Inc.). 

In step S2, the authentication server 4 compares the serial number 
received from the communication terminal 1 or 3, respectively, over the 
5 communications network 5 to the serial numbers 8 stored in the database 41 . If 
the received serial number is validated as a legitimate serial number identifying 
a resource controlled by the authentication server 4, a request for entry of the 
user identification information is transmitted in step A2 by the authentication 
server 4 over the communications network 5 to the communication terminal 1 or 
10 3, respectively. 

In step U3, the user identification information, including the user 
name and the user password, entered by the user on his communication 
terminal 1 or 3, respectively, is transmitted over the communications network 5 
to the authentication server 4. 

15 In step S3, the authentication server 4 compares the user 

identification information received over the communications network 5 to the 
user identification information 71 stored in the database 41 and linked to the 
serial number 8 verified in step S2. If the received user identification information 
is validated, i.e. if it can be matched to user identification information linked to 

20 the serial number 8 validated in step S2, the authentication server 4 generates 
a challenge number. Verification of the user identity can also include verification 
of additional personal user information, such as name, mailing address or other 
personal information. The challenge number is a numeric or alphanumeric 
code, and is preferably generated by a random generator. The random 

25 generator is preferably implemented as a software program, but it could also be 
implemented as a hardware module. The challenge number is valid only for a 
one-time log-in during a limited time period, as will be described below. 

In step A3, the challenge code generated in step S3 is transmitted by 
the authentication server 4 over the communications network 6 to the 
- 30 communication terminal 2 or 3, respectively, which is identified by the address 
(or phone number) 72 linked to the user identification information 71 verified in 
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step S3. Preferably, the challenge code is transmitted by means of special data 
messages, for example by means of SMS (Short Message Services) or USSD 
messages (Unstructured Services Data Element). To increase security, the 
. challenge code can be transmitted in encrypted form. 

5 In step S4, a timer is started by the authentication server 4. The 

timer is preferably a decrementing timer started with a pre-defined time value, 
for example a value of one minute or thirty seconds or even less. The timer is 
software controlled, and is based on the clock of the processor 43 of the 
authentication server 4 or based on a separate hardware clock. 

10 The challenge code received from the authentication server 4 at the 

communication terminal 2 or 3, respectively, is either entered manually into the 
communication terminal 1 by the user upon request received from the 
authentication server 4 (not illustrated), or, in the optional step S6, it is 
automatically taken from the data message received from the authentication 

15 server 4 by a programmed relay module of the communication terminal 3, if the 
communication terminal 3 is used by the user to access both the 
communications networks 5 and 6. 

In step U4, the challenge code received from the authentication 
server 4, is transmitted by the communication terminal 1 or 3, respectively, over 
20 the communications network 5 to the authentication server 4. 

If the time value controlled by the timer has not been elapsed, i.e. if 
the elapsed time At does not exceed the time value set in step S4, the 
authentication server 4 compares in step S5 the challenge code received in 
step U4 to the challenge code transmitted in step A3. If the two codes coincide, 
25 the user is granted access to the resource identified by the serial number 8 in 
step A4. Preferably, at any given time, access to a resource identified by the 
serial number is granted only once to a particular user, thereby preventing that 
concurrent access to a resource is granted to more than one user identified by 
the same user identification information. 

30 
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Industrial Applicability 

The present invention can be used wherever user access to 
resources accessible over a communications network must be controlled, for 
example access to computer software objects such as computer programs, 
5 computer databases, computer data, computer directories or web pages, 
located on the Internet. 
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List of Reference Numerals 

1 Communication terminal (personal computer) 

2 Mobile communication terminal (mobile radio telephone) 

3 Mobile communication terminal (personal data assistant with radio 
5 telephone module) 

4 Authentication server 

5 Communications network (Internet) 

6 Communications network (mobile radio network) 

7 Personal user information 
10 8 Serial number 

9 User 

1 0 Point of presence 

21 , 31 Subscriber identification module (SIM-card) 

41 Database 

15 42 Data carrier 

43 Processor 

71 User identification information 

72 Address of personal communication terminal (phone number) 

73 Additional user information 
20 71 1 User (log-in) name 

712 User (log-in) password 

A1 Communication of user identification information 

A2 Request to enter user identification information 

A3 Transmission of generated challenge code 

25 A4 Granting user access to resource 

P1 Transmission of personal user information 

P2 Communication of serial number 

51 Recording of personal user information 

52 Verification of serial number 

30 S3 Verification of user identification information, generating challenge code 

54 Starting timer 

55 Verification of returned challenge code 

56 Relaying of received challenge code 

U1 Communication of personal user information 
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U2 Transmission of serial number 

U3 Transmission of user identification information 

U4 Transmission of received challenge code 

At Elapsed time 
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CLAIMS 

1. Method for controlling access of a user to a resource accessible 
through a first communications network (5), the user accessing the first 
communications network (5) by means of a first communication terminal (1, 3), 

5 personal user information (7) including user identification information (71) being 
stored on an authentication server (4) connected to the first communications 
network (5), and user identification information, entered by the user on the first 
communication terminal (1 , 3) and received at the authentication server (4) over 
the first communications network (5), being compared to the user identification 
10 information (71) stored on the authentication server (4), characterised 

in that an address (72) of a second communication terminal (2, 3) is 
stored as part of the personal user information (7), 

in that the authentication server (4) transmits a challenge code over 
a second communications network (6) to the second communication terminal 
15 (2, 3) identified by said address (72), after having validated the user 

identification information received from the first communication terminal (1 , 3), 

in that the challenge code received by the second communication 
terminal (2, 3) is transmitted by the first communication terminal (1 , 3) over the 
first communications network (5) to the authentication server (4), 

20 in that the authentication server (4) compares the challenge code 

received from the first communication terminal (1 , 3) to the challenge code 
transmitted to the second communication terminal (2, 3), and 

in that the authentication server (4) grants the user access to the 
resource after having validated the challenge code received from the first 
25 communication terminal (1 , 3). 

2. Method according to claim 1, characterised in that a timer is 
started by the authentication server (4) after the challenge code has been 
transmitted to the second communication terminal (2, 3), and in that the user is 
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denied access to the resource, if the challenge code is not received from the 
first communication terminal (1 , 3) within a pre-defined time period. 

3. Method according to one of the claims 1 or 2, characterised in that 
the personal user information (7) is linked to a serial number (8), the serial 

5 number (8) identifying the resource, and in that the user is requested to enter 
the serial number on the first communication terminal (1 , 3) prior to the entry of 
the user identification information. 

4. Method according to one of the claims 1 to 3, characterised in that 
the Internet is used as the first communications network (5), in that a mobile 

10 radio network is used as the second communications network (6), in that a 
mobile communication terminal is used as the second communication terminal 
(2, 3), in that the phone number assigned to the mobile communication terminal 
is used as the address, in that the challenge code is generated by means of a 
random generator, in that the challenge code is transmitted by the 

15 authentication server (4) over the mobile radio network to the mobile 

communication terminal, by means of data messages, and in that computer 
software objects are used as the resource. 

5. Computerised authentication server (4) for controlling access of a 
user to a resource accessible through a first communications network (5), the 

20 authentication server (4) being connected to the first communications network 
(5), the authentication server (4) comprising a database (41) containing 
personal user information (7) including user identification information (71), the 
authentication server (4) comprising means to compare user identification 
information, entered by the user on a first communication terminal (1 , 3) 

25 connected to the first communications network (5) and received at the 

authentication server (4) over the first communications network (5), to the user 
identification information (71) stored in the database (41), characterised 

in that the personal user information (7) includes an address (72) of 
a second communication terminal (2, 3), 
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in that the authentication server (4) is connected to a second 
communications network (6) and comprises means for transmitting a challenge 
code over the second communications network (6) to the second 
communication terminal (2, 3) identified by said address (72), after having 
5 validated the user identification information received from the first 
communication terminal (1 , 3), 

in that the authentication server (4) comprises means for receiving a 
challenge code from the first communication terminal (1 , 3) over the first 
communications network (5) and for comparing the challenge code received 
10 from the first communication terminal (1 , 3) to the challenge code transmitted to 
the second communication terminal (2, 3), and 

in that the authentication server (4) comprises means for granting the 
user of the first communication terminal (1 , 3) access to the resource after 
having validated the challenge code received from the first communication 
15 terminal (1 , 3). 

6. Authentication server (4) according to claim 5, characterised in 
that it comprises a timer and means for starting the timer after the challenge 
code has been transmitted to the second communication terminal (2, 3) and for 
denying the user access to the resource, if the challenge code is not received 

20 from the first communication terminal (1 , 3) within a pre-defined time period. 

7. Authentication server (4) according to one of the claims 5 or 6, 
characterised in that the personal user information (7) is linked to a serial 
number (8), the serial number (8) identifying the resource, and in that the 
authentication server (4) comprises means for requesting the user to enter the 

25 serial number on the first communication terminal (1 , 3) prior to the entry of the 
user identification information. 



8. Authentication server (4) according to one of the claims 5 to 7, 
characterised in that the first communications network (5) comprises the 
Internet, in that the second communications network (6) comprises a mobile 
30 radio network, in that the address (72) is a phone number assigned to a mobile 
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communication terminal in the mobile radio network, in that the authentication 
server (4) comprises a random generator to generate the challenge code, in 
that the authentication server (4) comprises means to transmit the challenge 
code over the mobile radio network in data messages, and in that the resource 
5 comprises computer software objects. 

9. Computer-readable data carrier (42), encoded with data 
representing a computer program, that makes it possible to direct a 
computerised server (4), connected to a first communications network (5) and 
comprising a database (41) containing personal user information (7) including 

10 user identification information (71), to compare user identification information, 
entered by the user on a first communication terminal (5) connected to the first 
communications network (5) and received at the authentication server (4) over 
the first communications network (5), to the user identification information 
stored in the database (41), characterised in that it further makes it possible to 

15 direct the computerised server (4) 

to store an address (72) of a second communication terminal (2, 3) 
as part of the personal user information (7), 

to transmit a challenge code over a second communications 
network, (6) connected to the computerised server (4), to the second 
20 communication terminal (2, 3), identified by said address (72), after having 
validated the user identification information received from the first 
communication terminal (1 , 3), 

to receive a challenge code from the first communication terminal (1 , 
3) over the first communications network (5) and to compare the challenge 
25 code received from the first communication terminal (1 , 3) to the challenge code 
transmitted to the second communication terminal (2, 3), and 

to grant the user of the first communication terminal (1 , 3) access to 
the resource after having validated the challenge code received from the first 
communication terminal (1 , 3). 
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10. Computer program product comprising: computer program code 
to direct a computerised server (4), connected to a first communications 
network (5) and comprising a database (41) containing persona! user 
information (7) including user identification information (71), to compare user 
5 identification information, entered by the user on a first communication terminal 
(5) connected to the first communications network (5) and received at the 
authentication server (4) over the first communications network (5), to the user 
identification information stored in the database (41), characterised in that it 
further makes it possible to direct the computerised server (4) 

io to store an address (72) of a second communication terminal (2, 3) 

as part of the personal user information (7), 

to transmit a challenge code over a second communications 
network, (6) connected to the computerised server (4), to the second 
communication terminal (2, 3), identified by said address (72), after having 
is validated the user identification information received from the first 
communication terminal (1 , 3), 

to receive a challenge code from the first communication terminal (1 , 
3) over the first communications network (5) and to compare the challenge 
code received from the first communication terminal (1 , 3) to the challenge code 
20 transmitted to the second communication terminal (2, 3), and 

to grant the user of the first communication terminal (1 , 3) access to 
the resource after having validated the challenge code received from the first 
communication terminal (1 , 3). 
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